Duqu: The Next Stuxnet?

Reports of the recently discovered Duqu trojan have spawned much speculation and even resulted in the trojan being dubbed “the son of Stuxnet” or “Stuxnet 2.0.”

So what is Duqu and how does it compare to Stuxnet?

Duqu is an infostealer trojan designed to sniff out sensitive data and send it to remote attackers. Conversely, Stuxnet was a worm with a malicious payload designed to programmatically alter industrial control systems.

I’ve heard Duqu called Stuxnet 2.0. Why is that?

According to analysis performed by F-Secure, code in the kernel driver used by Duqu (jminet7.sys) is very similar to the code used by Stuxnet in mrxcls.sys. The Duqu kernel driver also uses a stolen certificate, issued in Taiwan to a company named C-Media Electronics. Interestingly, the stolen certificate product name still displays as JMicron. Stuxnet also used stolen certificates issued in the same region of Taiwan – and one of those was a stolen certificate issued to JMicron.

Source code for Stuxnet is not known to be “in the wild.” Absent public source code, the most plausible explanation for the coding similarities is that the author(s) of Stuxnet and Duqu are the same.

When was Duqu discovered?

The first reports of Duqu came from an independent research lab on October 14, 2011. Since that initial discovery, Symantec has reported that a sample in its submission database dates back to September 1, 2011. Additionally, Symantec’s analysis of file compilation times suggests that Duqu variants may date back to December 2010.

After initial discovery, a second variant was discovered in the wild on October 17, 2011.

Known variants of Duqu do not contain any exploits; likewise, Duqu is a trojan and is not self-propagating. Conversely, Stuxnet employed a very sophisticated system of self-propagation, including the use of the following exploits, four of which were zero-days at the time of discovery:

Duqu appears to be part of a targeted attack designed to gain intelligence on sensitive systems. Targeted attacks, by nature, are not widespread. Thus far, Duqu has been detected at only a small number of companies, mainly in Europe.

If folks are interested, Cisco has just published an Applied Mitigation Bulletin (http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=24455) which contains techniques for both identifying and mitigating potential exploitation of Duqu.
